Real-time vulnerability monitoring

ABSTRACT

Abstract of the Disclosure 
     A security information management system is described, wherein client-side devices preferably collect and monitor information describing the operating system, software, and patches installed on the device(s), as well as configuration thereof.  A database of this information is maintained, along with data describing vulnerabilities of available software and associated remediation techniques available for it.  The system exposes an API to support security-related decisions by other applications.  For example, an intrusion detection system (IDS) accesses the database to determine whether an actual threat exists and should be (or has been) blocked.

Detailed Description of the Invention Cross-Reference to Related Applications

This application claims the benefit of U.S. Provisional Application No. 60/484,085. This application is also related to applications titled MULTIPLE-PATH REMEDIATION (Attorney Docket No. 36029-4), POLICY-PROTECTION PROXY (Attorney Docket No. 36029-5), VULNERABILITY AND REMEDIATION DATABASE (Attorney Docket No. 36029-6), AUTOMATED STAGED PATCH AND POLICY MANAGEMENT (Attorney Docket No. 36029-7), and CLIENT CAPTURE OF VULNERABILITY DATA (Attorney Docket 36029-8), all filed on even date herewith. All of these applications are hereby incorporated herein by reference as if fully set forth.

Field of the Invention

The present invention relates to computer systems, and more particularly to management of security of computing and network devices that are connected to other such devices.

Background

With the growing popularity of the Internet and the increasing reliance by individuals and businesses on networked computers, network security management has become a critical function for many people. Furthermore, with computing systems themselves becoming more complex, security vulnerabilities in a product are often discovered long after the product is released into general distribution. Improved methods are needed, therefore, for managing updates and patches to software systems, and for managing configurations of those systems.

The security management problem is still more complex, though. Often techniques intended to remediate vulnerabilities (such as configuration changes, changes to policy settings, or application of patches) add additional problems. Sometimes patches to an operating system or application interfere with operation of other applications, and can inadvertently disable mission-critical services and applications of an enterprise. At other times, remediation steps open other vulnerabilities in software. There is, therefore, a need for improved security management techniques.

Summary

One form of the present invention is a database of information about a plurality of devices, updated in real-time and used by an application to make a security-related decision. The database stores data indicating the installed operating system(s), installed software, patches that have been applied, system policies that are in place, and configuration information for each device. The database answers queries by one or more devices or applications attached by a network to facilitate security-related decision making. In one form of this embodiment, a firewall or router handles a connection request or maintenance of a connection based on the configuration information stored in the database that relates to one or both of the devices involved in the transmission.

Brief Description of the Drawings

Fig. 1 is a block diagram of a networked system of computers in one embodiment of the present invention.

Fig. 2 is a block diagram showing components of several computing devices in the system of Fig. 1.

Figs. 3 and 4 trace signals that travel through the system of Figs. 1 and 2 and the present invention is applied to them.

Description

For the purpose of promoting an understanding of the principles of the present invention, reference will now be made to the embodiment illustrated in the drawings and specific language will be used to describe the same. It will, nevertheless, be understood that no limitation of the scope of the invention is thereby intended; any alterations and further modifications of the described or illustrated embodiments, and any further applications of the principles of the invention as illustrated therein are contemplated as would normally occur to one skilled in the art to which the invention relates.

Generally, the present invention in its preferred embodiment operates in the context of a network as shown in Fig. 1. System 100 includes a vulnerability and remediation database 110 connected by Internet 120 to subnet 130. In this exemplary embodiment, firewall 131 serves as the gateway between Internet 120 and the rest of subnet 130. Router 133 directs connections between computers 137 and each other and other devices on Internet 120. Server 135 collects certain information and provides certain data services that will be discussed in further detail herein.

In particular, security server 135 includes processor 142, and memory 144 encoded with programming instructions executable by processor 142 to perform several important security-related functions. For example, security server 135 collects data from devices 131, 133, 137, and 139, including the software installed on those devices, their configuration and policy settings, and patches that have been installed. Security server 135 also obtains from vulnerability and remediation database 110 a regularly updated list of security vulnerabilities in software for a wide variety of operating systems, and even in the operating systems themselves. Security server 135 also downloads a regularly updated list of remediation techniques that can be applied to protect a device from damage due to those vulnerabilities. In a preferred embodiment, each vulnerability in remediation database 110 is identified by a vulnerability identifier, and the vulnerability identifier can be used to retrieve remediation information from database 110 (and from database 146, discussed below in relation to Fig. 2).

In this preferred embodiment, computers 137 and 139 each comprise a processor 152, 162, memory 154, 164, and storage 156, 166. Computer 137 executes a client-side program (stored in storage 156, loaded into memory 154, and executed by processor 152) that maintains an up-to-date collection of information regarding the operating system, service pack (if applicable), software, and patches installed on computer 137, and the policies and configuration data (including configuration files, and elements that may be contained in files, such as *.ini and *.conf files and registry information, for example), and communicates that information on a substantially real-time basis to security server 135. In an alternative embodiment, the collection of information is not retained on computer 137, but is only communicated once to security server 135, then is updated in real time as changes to that collection occur.

Computer 139 stores, loads, and executes a similar software program that communicates configuration information pertaining to computer 139 to security server 135, also substantially in real time. Changes to the configuration registry in computer 139 are monitored, and selected changes are communicated to security server 135 so that relevant information is always available. Security server 135 may connect directly to and request software installation status and configuration information from firewall 131 and router 133, for embodiments wherein firewall 131 and router 133 do not have a software program executing on them to communicate this information directly.

This collection of information is made available at security server 135, and combined with the vulnerability and remediation data from source 110. The advanced functionality of system 100 is thereby enabled as discussed further herein.

Turning to Fig. 2, one sees additional details and components of the devices in subnet 130. Computers 137 and 139 are traditional client or server machines, each having a processor 152, 162, memory 154, 164, and storage 156, 166. Firewall 131 and router 133 also have processors 172, 182 and storage 174, 184, respectively, as is known in the art. In this embodiment, devices 137 and 139 each execute a client-side program that continuously monitors the software installation and configuration status for that device. Changes to that status are communicated in substantially real time to security server 135, which continuously maintains the information in database 146. Security server 135 connects directly to firewall 131 and router 133 to obtain software installation and configuration status for those devices in the absence of a client-side program running thereon.

Processors 142, 152, 162 may each be comprised of one or more components configured as a single unit. Alternatively, when of a multi-component form, processor 142, 152, 162 may each have one or more components located remotely relative to the others. One or more components of processor 142, 152, 162 may be of the electronic variety defining digital circuitry, analog circuitry, or both. In one embodiment, processor 142, 152, 162 are of a conventional, integrated circuit microprocessor arrangement, such as one or more PENTIUM 4 or XEON processors from INTEL Corporation of 2200 Mission College Boulevard, Santa Clara, California, 95052, USA, or ATHLON XP processors from Advanced Micro Devices, One AMD Place, Sunnyvale, California, 94088, USA.

Memories 144, 154, 164 may include one or more types of solid-state electronic memory, magnetic memory, or optical memory, just to name a few. By way of non-limiting example, memory 40b may include solid-state electronic Random Access Memory (RAM), Sequentially Accessible Memory (SAM) (such as the First-In, First-Out (FIFO) variety or the Last-In First-Out (LIFO) variety), Programmable Read Only Memory (PROM), Electrically Programmable Read Only Memory (EPROM), or Electrically Erasable Programmable Read Only Memory (EEPROM); an optical disc memory (such as a DVD or CD ROM); a magnetically encoded hard drive, floppy disk, tape, or cartridge media; or a combination of any of these memory types. Also, memories 144, 154, 164 may be volatile, nonvolatile, or a hybrid combination of volatile and nonvolatile varieties.

In this exemplary embodiment, storage 146, 156, 166 comprises one or more of the memory types just given for memories 144, 154, 164, preferably selected from the non-volatile types.

This collection of information is used by system 100 in a wide variety of ways. With reference to Fig. 3, assume for example that a connection request 211 arrives at firewall 131 requesting that data be transferred to computer 137. The payload of request 211 is, in this example, a probe request for a worm that takes advantage of a particular security vulnerability in a certain computer operating system. Based on characteristics of the connection request 211, firewall 131 sends a query 213 to security server 135. Query 213 includes information that security server 135 uses to determine (1) the intended destination of connection request 211, and (2) some characterization of the payload of connection request 211, such as a vulnerability identifier. Security server 135 uses this information to determine whether connection request 211 is attempting to take advantage of a particular known vulnerability of destination machine 137, and uses information from database 146 (see Fig. 2) to determine whether the destination computer 137 has the vulnerable software installed, and whether the vulnerability has been patched on computer 137, or whether computer 137 has been configured so as to be invulnerable to a particular attack.

Security server 135 sends result signal 217 back to firewall 131 with an indication of whether the connection request should be granted or rejected. If it is to be granted, firewall 131 passes the request to router 133 as request 219, and router 133 relays the request as request 221 to computer 137, as is understood in the art. If, on the other hand, signal 217 indicates that connection request 211 is to be rejected, firewall 133 drops or rejects the connection request 211 as is understood in the art.

Analogous operation can protect computers within subnet 130 from compromised devices within subnet 130 as well. For example, Fig. 4 illustrates subnet 130 with computer 137 compromised. Under the control of a virus or worm, for example, computer 137 sends connection attempt 231 to router 133 in an attempt to probe or take advantage of a potential vulnerability in computer 139. On receiving connection request 231, router 133 sends relevant information about request 231 in a query 233 to security server 135. Similarly to the operation discussed above in relation to Fig. 3, security server 135 determines whether connection request 231 poses any threat, and in particular any threat to software on computer 139. If so, security server 135 determines whether the vulnerability has been patched, and if not, it determines whether computer 139 has been otherwise configured to avoid damage due to that vulnerability. Security server 135 replies with signal 235 to query 233 with that answer. Router 133 uses response 235 to determine whether to allow the connection attempt.

In some embodiments, upon a determination by security server 135 that a connection attempt or other attack has occurred against a computer that is vulnerable (based on its current software, patch, policy, and configuration status), security server 135 selects one or more remediation techniques from database 146 that remediate the particular vulnerability. Based on a prioritization previously selected by an administrator or the system designer, the remediation technique(s) are applied (1) to the machine that was attacked, (2) to all devices subject to the same vulnerability (based on their real-time software, patch, policy, and configuration status), or (3) to all devices to which the selected remediation can be applied.

In various embodiments, remediation techniques include the closing of open ports on the device; installation of a patch that is known to correct the vulnerability; changing the device’s configuration; stopping, disabling, or removing services; setting or modifying policies; and the like. Furthermore, in various embodiments, events and actions are logged (preferably in a non-volatile medium) for later analysis and review by system administrators. In these embodiments, the log also stores information describing whether the target device was vulnerable to the attack.

A real-time status database according to the present invention has many other applications as well. In some embodiments, the database 146 is made available to an administrative console running on security server 135 or other administrative terminal. When a vulnerability is newly discovered in software that exists in subnet 130, administrators can immediately see whether any devices in subnet 130 are vulnerable to it, and if so, which ones. If a means of remediation of the vulnerability is known, the remediation can be selectively applied to only those devices subject to the vulnerability.

In some embodiments, the database 146 is integrated into another device, such as firewall 131 or router 133, or an individual device on the network. While some of these embodiments might avoid some failures due to network instability, they substantially increase the complexity of the device itself. For this reason, as well as the complexity of maintaining security database functions when integrated with other functions, the network-attached device embodiment described above in relation to Figs. 1-4 is preferred.

In a preferred embodiment, a software development kit (SDK) allows programmers to develop security applications that access the data collected in database 146. The applications developed with the SDK access information using a defined application programming interface (API) to retrieve vulnerability, remediation, and device status information available to the system. The applications then make security-related determinations and are enabled to take certain actions based on the available data.

In these exemplary systems, “configuration information” for each device may take the form of initialization files (often named *.ini or *.conf), configuration registry (such as the Windows Registry on Microsoft WINDOWS operating systems), or configuration data held in volatile or non-volatile memory. Such configuration information often determines what and how data is accepted from other devices, sent to other devices, processed, stored, or otherwise handled, and in many cases determines what routines and sub-routines are executed in a particular application or operating system.

All publications, prior applications, and other documents cited herein are hereby incorporated by reference in their entirety as if each had been individually incorporated by reference and fully set forth.

While the invention has been illustrated and described in detail in the drawings and foregoing description, the same is to be considered as illustrative and not restrictive in character, it being understood that only the preferred embodiments have been shown and described and that all changes and modifications that would occur to one skilled in the relevant art are desired to be protected. 

1. A system, comprising: a plurality of computing devices, each comprising a processor and memory, wherein the memory is encoded with programming instructions executable by the processor; a database of device status information that characterizes zero or more vulnerabilities to which each of the computing devices is subject, wherein the device status information is kept current in substantially real time; and an application that transmits a query signal to the database; receives a result signal, responsive to the query signal, from the database; and makes a security-related determination based on the result signal.
 2. The system of claim 1, wherein the application is an intrusion detection system, and the security-related determination is whether to produce a signal indicating that an intrusion attempt has occurred.
 3. The system of claim 1, wherein: the application is selected from the group of applications consisting of a firewall, a proxy, and a router; and the security-related determination is whether to allow a connection to pass.
 4. The system of claim 1, wherein the security-related determination is selected from the group consisting of: whether to block a connection attempt; whether to pass a communication from one device to another through a network; and whether to permit software to be installed.
 5. The system of claim 4, wherein the connection attempt is a request from an external device to connect with at least one of the plurality of computing devices.
 6. The system of claim 4, wherein the connection attempt is a request from one of the computing devices to connect with another of the computing devices.
 7. The system of claim 1, wherein the query signal and the result signal are each transmitted over a network.
 8. The system of claim 1, wherein for at least one of the plurality of computing devices, the device status information is kept current by a software agent executed by the processor of each of the at least one of the plurality of computing devices.
 9. The system of claim 8, wherein: a set of programming instructions for the software agent is encoded in the memory of the at least one computing device; and the set of programming instructions is executed by the processor of the at least one computing device.
 10. The system of claim 1, wherein a single computing device hosts the database of device status information and the application.
 11. The system of claim 10, wherein the single computing device is not in the plurality of computing devices.
 12. A method, comprising: transferring data including device status information from at least one client computer to a server incorporating a database in substantially real time; receiving a connection request at an application; transmitting a query signal from the application to the server, the query signal including information characterizing the connection request; transmitting a result signal, responsive to the query signal, from the server to the application; and making and executing a security-related determination relating to the connection request, wherein the determination is made as a function of the information in the query signal and data in the database.
 13. The method of claim 12, wherein the determination is to block the connection request.
 14. The method of claim 12, wherein the determination is made by the application based on the result signal.
 15. The method of claim 12, wherein: the determination is made by the server; the determination is reflected by information in the result signal; and the executing is performed by the application.
 16. The method of claim 12, wherein: the application is an intrusion detection system; and the determination is to produce a signal indicating that an intrusion attempt has occurred.
 17. The method of claim 12, wherein for each of the at least one client computers, the database includes: information that characterizes zero or more vulnerabilities to which the client computer is subject; data identifying an operating system, software, and patches installed on the client computer; software security information associated with the operating system, software, and patches; and data characterizing the system policy settings and configuration data on the client computer.
 18. The method of claim 12, further comprising transferring a data stream including vulnerability remediation information from at least one vulnerability remediation database to the server.
 19. The method of claim 18, wherein the data stream includes: data characterizing security vulnerabilities for one or more operating systems; and vulnerability remediation information, the vulnerability remediation information including vulnerability remediation techniques for the security vulnerabilities.
 20. The method of claim 19, further comprising: selecting a remediation technique for a vulnerability of the at least one client computer; and applying the selected vulnerability remediation technique, wherein the selecting is performed by the server, and the applying is performed by the at least one client computer.
 21. The method of claim 12, wherein: the at least one client computer is on a subnet; and the connection request includes a request from a source that is not on the subnet to connect with the at least one client computer.
 22. The method of claim 12, wherein: the plurality of computing devices includes a first client computer and a second client computer; and the connection request includes a request from the first client computer to connect with the second client computer.
 23. The method of claim 12, wherein the connection request includes a request from an external source to install a software program on one of the at least one client computers.
 24. An apparatus, comprising a device encoded with logic executable by one or more processors to communicate with a database of device status information to make a security-related determination, wherein: the device status information includes information representing zero or more vulnerabilities of a client computer, updated in substantially real time; and the determination is made as a function of the device status information.
 25. The apparatus of claim 24, wherein the communication with the database includes: the device transmitting a query signal to the database; and the database transmitting a result signal, responsive to the query signal and containing information from the database, to the device.
 26. The apparatus of claim 25, wherein the determination is made based on the result signal.
 27. The apparatus of claim 24, wherein the determination is selected from the group consisting of: whether to block a connection attempt; whether to pass a communication from one device to another through a network; and whether to permit software to be installed.
 28. The apparatus of claim 24, wherein the device is an intrusion detection system, and the determination includes whether to produce a signal that indicates an intrusion attempt has occurred.
 29. The apparatus of claim 24, wherein the device status information further includes information representing vulnerabilities and remediation techniques received from a vulnerability remediation database.
 30. The apparatus of claim 29, wherein the determination includes: selecting one or more remediation techniques; and remediating one or more vulnerabilities of the client computer according to the one or more selected techniques.
 31. A method, comprising: receiving device status information for one or more computing devices in substantially real time; detecting one or more vulnerabilities of the one or more computing devices based on the device status information; selecting one or more remediation techniques from a first database, the one or more remediation techniques corresponding to the one or more detected vulnerabilities; and remediating the one or more detected vulnerabilities according to the one or more selected remediation techniques.
 32. The method of claim 31, wherein the receiving, detecting, and selecting are performed by a server incorporating the first database.
 33. The method of claim 31, wherein: the remediation techniques are initially stored in a second database; and the remediation techniques are periodically updated from the second database to the first database.
 34. The method of claim 31, wherein for at least one of the plurality of computing devices, the device status information is updated in substantially real time by a software agent executed by a processor of the at least one computing device.
 35. The method of claim 34, wherein: a set of programming instructions for the software agent is encoded in a memory of the at least one computing device; and the set of programming instructions is executed by a processor of the at least one computing device.
 36. A system, comprising: a plurality of computing devices, each comprising at least one processor and memory, wherein the memory is encoded with programming instructions executable by the processor; a database of security information, wherein: the security information includes device status information that characterizes zero or more vulnerabilities to which each of the computing devices is subject; the security information also includes one or more remediation techniques; the device status information is kept current in substantially real time; and the system is operable to select remediation techniques as a function of the security information and remediate vulnerabilities to which the computing devices are subject according to the selected remediation techniques; and an application that makes security-related determinations as a function of the security information.
 37. The system of claim 36, wherein the application: transmits a query signal to the database; receives a result signal, responsive to the query signal, from the database; and makes a security-related determination based on the result signal.
 38. The system of claim 36, wherein: the application is an intrusion detection system; and the determination is whether to generate a signal indicating that an intrusion attempt has occurred.
 39. The system of claim 36, wherein the application is selected from the group consisting of a firewall, a proxy, and a router. 